Created on 05-11-2020 07:58 AM. Edited on 06-24-2025 02:27 AM by Jean-Philippe_P.
Description
This article describes how to alter the default login-attempt-limit and login-block-time for SSL VPN users.
Scope
FortiGate.
Solution
The default login-attempt-limit for SSL VPN users is 2, and the login-block-time is 60 seconds.
With these settings, if the FortiGate observes two consecutive incorrect username/password combinations from the same source IP address within 60 seconds, it blocks further SSL VPN login attempts from that address for the next 60 seconds and returns the message 'Too many bad login attempts. Please try again in a few minutes'.
After seeing this message, the user must wait for the login-block-time to elapse before trying again.
To modify this, set login-attempt-limit and login-block-time to the desired values in the CLI. Both settings live under config vpn ssl settings.
Tightening these values helps mitigate brute-force credential attacks against SSL VPN.
Note: Setting either login-attempt-limit or login-block-time to 0 disables the lockout entirely, which leaves an internet-facing SSL VPN portal open to unthrottled password guessing. 'login-block-time' defines both the block duration and the window within which failed attempts are counted as consecutive.
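The CLI configuration for the procedure above, shown as an added example that is not part of the original article. It assumes the FortiGate CLI; the values 3 and 300 are illustrative choices, not Fortinet recommendations. The first block shows the weak setting (lockout disabled by a 0), the second the hardened one, followed by the commands to verify the result.

```fortios
# Weak: a 0 in either setting disables the SSL VPN lockout entirely
config vpn ssl settings
    set login-attempt-limit 0
    set login-block-time 60
end

# Hardened (illustrative values): block a source IP for 300 seconds after
# 3 consecutive failures; the same 300 seconds is the window in which
# failures are counted as consecutive
config vpn ssl settings
    set login-attempt-limit 3
    set login-block-time 300
end

# Verify the running values, then inspect the blocklist
show vpn ssl settings
diagnose vpn ssl blocklist list
diagnose vpn ssl blocklist count
```

Because login-block-time doubles as the counting window, a longer block time also makes slow, spaced-out guessing (one attempt every few minutes) more likely to be caught; a short window with a high limit does little against such attacks.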
To view the block-listed IP addresses, use the CLI command:
diagnose vpn ssl blocklist list
Note: This command is available in FortiOS 7.2.6 and later and 7.4.1 and later.
Sample output:
Status: locked – the source IP address has reached the configured login-attempt-limit and is currently blocked.
Status: pending – failed attempts have been recorded for the source IP address, but fewer than the configured login-attempt-limit.
To delete an entry from the SSL VPN blocklist (all entries, all entries for a VDOM, or a single address), use the CLI command:
diagnose vpn ssl blocklist del <all|vfid|addr>
Example output:
To view the total number of source IP addresses with failed login attempts, use the CLI command:
diagnose vpn ssl blocklist count
This method does not apply to SAML user groups. SAML users authenticate against an external IdP (for example an Azure application or FortiAuthenticator), not on the FortiGate, so the FortiGate cannot count each incorrect username/password entry. For those users, lockout and brute-force protection must be enforced by the IdP.
Related articles:
Technical Tip: How to unblock IP addresses from the SSL VPN blocklist
Technical Tip: SSL VPN timers explanation and SSL VPN Login Attempt Limit (aka 'Lockout')
Copyright 2025 Fortinet, Inc. All Rights Reserved.